Cloudflare’s 1.1.1.1 promises to make DNS more secure

Post navigation

On April Fools’ Day Cloudflare launched a new public DNS (Domain Name System) service using the memorable network address 1.1.1.1.

Far from being a joke, the address and launch date look like clever marketing (1.1.1.1 echoes the date 4/1, as well as Google’s 8.8.8.8 DNS resolver and the Global Cyber Alliance’s 9.9.9.9) – grist to the mill of the claim that internet users who use the service for DNS will see snappier performance compared to that offered by most ISPs. (Bad Packets tested 1.1.1.1 from the UK, publishing its results on Twitter for anyone who’s interested in this topic.)

ISPs can monitor DNS usage easily, in two ways: by running a DNS resolver and logging the requests it receives or, if customers choose to use somebody else’s DNS service, by reading the unencrypted DNS requests passing through its network.

Matthew Prince, Cloudflare CEO, explains:

What many internet users don’t realize is that even if you’re visiting a website that is encrypted – has the little green lock in your browser – that doesn’t keep your DNS resolver from knowing the identity of all the sites you visit.

How might 1.1.1.1, a resolver that will know the identity of the sites you visit, make a difference to this?

In several ways, Cloudflare says, starting with the fact that the company itself has promised not to monitor DNS queries made through its servers, wiping logs within 24 hours and not recording IP addresses.

That’s reassuring but doesn’t address the fundamental problem that even when a user submits DNS queries to 1.1.1.1 it is still possible for ISPs to see which internet domains the user is visiting.

For that reason, Cloudflare is supporting a number of emerging DNS security standards, starting with something called DNS Query Name Minimisation.

Proposed to the IETF as RFC8198, the standard aims to minimise the amount of data passed upstream during DNS resolution.

Encrypted DNS queries

Significantly, 1.1.1.1 will support emerging standards for encrypting DNS queries, DNS-over-HTTPS and DNS-over-TLS.

It’s still early days for these but what matters is that they both require support by browser makers and DNS services.

Bang on cue, Mozilla recently announced that it is testing DNS-over-HTTPS in Firefox in conjunction with – you guessed – Cloudflare. Google, meanwhile, started testing DNS-over-TLS on Android some time ago.

Not everyone is happy about Firefox sending DNS queries to Cloudflare (how can we be sure that we can trust Cloudflare?), but the same argument could be made about any security where the user must depend on the trustworthiness of a server.

The other way to encrypt DNS queries today is to use a VPN but that simply hides the DNS queries from your ISP and shares them with your VPN provider instead.

They won’t know they’re GETs (for all that it would be a good guess) and won’t know which URIs the user was interested in because the HTTP requests are inside the encrypted TLS data stream. But they will indeed see all IP:PORT destinations, plus the setup packets for every TLS session.

This also gives them a greater ability to censor the internet as well, which they’re apparently interested in doing, as they personally see fit. Now not only can they let sites die, they can stop you from even resolving their addresses! Nothing to see here, move along. As little as I trust Google, at least they’ve been consistent about not filtering DNS results. Can we trust a company like Cloudfare to do the same? Doubting it.

The counter argument is that without DNS over TLS, anyone (an ISP, say) can monitor or block sites. Can’t see that trusting Cloudflare makes that situation worse. Over time, it’s likely more DoT providers will appear – the technology is bigger than one company or browser.

At the moment, the UTM products support DNS via UDP only, which precludes us supporting DNS over TLS right now. We’re looking into changing that, but AFAIK we haven’t decided any of the if/why/what/when questions yet, so I can’t tell you any more than that. HtH.